Air-gapping 2 devices vs. Trezor/Ledger?

[o_e_l_e_o]

https://eprint.iacr.org/2016/230.pdf

Now, I am by no means an expert on this so please correct me if I'm wrong, but reading this paper it seems this does not apply to most bitcoin wallets (emphasis mine):

Constant-time Implementations.

Constant-time implementations mitigate many side-channel leaks by ensuring a fixed execution path that does not depend on secret data, to prevent timing attacks [BB05]. Additionally, a constant memory access pattern is desired to avoid cache-based attacks [Ber05, Per05, OST06], as well as cache-induced differences in timing and electromagnetic behavior. For, EC scalar-by-point multiplication, the scalar can be represented in a regular way such that the DA-sequence does not depend on the nonce [JT09, Mol01b]; Moller [Mol01b] notes that these encodings may leak information when a point is added to itself, yet with a random scalar, as is the case in ECDSA, the probability of this leak is negligible. A constant-time implementation for some elliptic curves, on some 64-bit platforms, is included in OpenSSL [Kas12]. For Bitcoin’s secp256k1curve, the libsecp256k1 [Wui] implementation offers a constant-time, constant-memory-access implementation of ECDSA signing.

Bitcoin Core has been using libsecp256k1 since 0.10 in 2015. Which wallets are still using OpenSSL and not libsecp256k1?

The wrench attack can also happen to your bank account in a home robbery: having a verified account at any exchange is enough to be forced to deposit your life savings, after which the attacker buys Bitcoin with your money.

I would imagine most banks would put some kind of hold on a transfer if you suddenly decided to empty your entire account in a single transaction. I would also hope that people don't have their entire life savings sitting in a checking account with immediate access, because all you are doing there is slowly (or in some cases quickly) losing money as fiat constantly devalues. Most fiat accounts or investment vehicles which offer enough interest to at least match inflation require several days notice to access your money, although I assume this can vary quite widely between countries.

[1714850345]

1714850345

[1714850345]

1714850345

[1714850345]

1714850345

[LoyceV]

I would imagine most banks would put some kind of hold on a transfer if you suddenly decided to empty your entire account in a single transaction. I would also hope that people don't have their entire life savings sitting in a checking account with immediate access, because all you are doing there is slowly (or in some cases quickly) losing money as fiat constantly devalues. Most fiat accounts or investment vehicles which offer enough interest to at least match inflation require several days notice to access your money, although I assume this can vary quite widely between countries.

The limit here is usually 50k euro, although some banks have a 5k limit (and a few hours delay to increase it). Savings accounts are also fast, and stock brokers are fast too. Welcome to the Dutch banking system

[ranochigo]

https://eprint.iacr.org/2016/230.pdf

Now, I am by no means an expert on this so please correct me if I'm wrong, but reading this paper it seems this does not apply to most bitcoin wallets (emphasis mine):

-snip-

Bitcoin Core has been using libsecp256k1 since 0.10 in 2015. Which wallets are still using OpenSSL and not libsecp256k1?

Hopefully not, secp256k1 has a lot more benefits than that .

Thanks! Someone mentioned (I think a few weeks ago) that secp256k1 isn't that susceptible to certain sidechannel attacks but I couldn't find any literature on that. I didn't do any in depth research on the feasibility on the various other sidechannel attacks. But I suspect an attack could also be mounted on the encrypting/decrypting process of the wallet instead of the signing itself or through the RNG. Don't quote me on this, just a thought.

I've read through the firmware of ColdCard briefly and they did actually implement a few measures to reduce the signature.

[skyroamjanetismine]

Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actual go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.

[figmentofmyass]

the wrench attack angle is why i strongly prefer general purpose hardware. hardware wallets just scream "rob me!"

The wrench attack can also happen to your bank account in a home robbery: having a verified account at any exchange is enough to be forced to deposit your life savings, after which the attacker buys Bitcoin with your money.

what i'm talking about is akin to flashing wads of cash in public, where less savory opportunists might notice and come after you. this is why i wouldn't wanna bust out a hardware wallet in a retail setting, show it off in public, etc.

a home invasion is a targeted attack. that's some next level shit. i don't think anyone is targeting me for a home invasion just because i own a cheap netbook! call me paranoid, but announcing yourself as a dedicated crypto investor in public with a ledger or trezor---that may be a different story.

and that's the distinction i'm making---it's not really about hardware wallet vs other security models like airgapping a PC. if you use a hardware wallet only online in your own home, then what i'm saying doesn't apply.

[HeRetiK]

Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

No. But to software exploits, depending on how you handle it:

If you mean storing a wallet on an AES encrypted USB drive to then plug it into your computer when you want to make a transaction -- that's suspectible to any old malware attack and not much more secure than a regular hot wallet. Your private keys will get exposed as soon as you decrypt your wallet to make a transaction and if your computer is compromised so will be your wallet.

If you mean storing a wallet on an AES encrypted USB drive for use with an airgapped computer only, then you should be fine.

Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actual go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.

What sort of officer has a bread board, fitting electronic components and the knowledge ready to build a Trezor glitching device on the go?

On a more serious note, use a strong passphrase. Even after someone extracts the seed it will then still take them a couple of millenia [1] to get through (at least with the technology available for the foreseeable future)

[1] https://coldbit.com/can-bip-39-passphrase-be-cracked/

[malevolent]

• If you can use webcams to transfer transactions back and forth via QR codes, then this removes the possibility of accidentally and unknowingly transferring malware via a USB drive. The webcams should be unplugged when not being actively used for your own privacy.

Given BadUSB and the like, if someone sees using a hardware wallet as a liability (ideally a Trezor with a passphrase as the closed source Secure Element in Ledger could one day lead to a critical vulnerability), webcams to read QR codes are the only reasonable alternative.

[ranochigo]

Are AES encrypted USB Flash Drives (PNY or San Disk) susceptible to hardware exploits like the Trezor?

Another problem I see with Trezor is that if an officer stops you and searches you and knows what a Trezor is then he can take it, and from what I've read it only takes 15 minutes to hardware exploit it. Good luck trying to actual go through litigation and get it back or prove anything during that route.

I feel really uneasy with my Trezor knowing that hardware exploit is possible, especially in 15 minutes. And then Ledger is closed source which makes me uneasy. Ugh. Tough decisions.

I don't find it too much of a problem. As long as you have a passphrase, the attacker would have a hard time trying to get your seed.

There are a lot more choices than those two companies, maybe you could try exploring your options. Regarding the attack, what makes you think that your devices would be more protected than your hardware wallet? Attacking Trezor requires the attacker to specifically extract the encrypted seed from the secure elements by desoldering it and using specialized tools, after that start to crack your keys. I've seen more vulnerabilities affecting mobile devices than most hardware wallet and they don't require special skills.

I feel like most attacks are often blown out of proportion and companies has been relatively quick (at least those competent ones) to respond and provide a mitigation to it.

[skyroamjanetismine]

Please critique my proposed setup:

1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online , but only for crypto transactions.

3) Display. Do I need 1 for each device?

Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?

4) When transferring the transaction file between devices do I need to use an encrypted USB for this?

[ranochigo]

1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online , but only for crypto transactions.

A MicroSD card would be required for both devices. USB Flash drive would be necessary if you're transferring raw transactions across the online to offline device and signed transaction the other way.

3) Display. Do I need 1 for each device?

If you're thinking of using the QR code to transfer the raw transactions, then possibly. If not, a monitor/TV screen would be sufficient.

Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?

Not that I've ever heard of. That'll have to be a very complex malware.

4) When transferring the transaction file between devices do I need to use an encrypted USB for this?

Depends. Are you afraid that the Flash drive could get stolen between the time the raw/signed transactions are deleted? If it's stolen, whoever opens that USB drive can see your transaction information and thus compromising your privacy. Security wise, it doesn't matter if it's encrypted or not.

I would wipe my flash drive every time after using it so I wouldn't think of encrypting it.

[o_e_l_e_o]

I don't follow the logic of putting these files in the USB drive. If you put your wallet on the USB and then move the USB back and forth between your two devices, including the one which has internet access, then you have completely negated the whole point of an airgapped setup.

For transferring transactions back and forth, the most preferable solution is to use QR codes and a webcam, to eliminate the possibility of accidentally transferring malware or your private keys on the USB drive. You can buy a Raspberry Pi camera module for $25.

[ranochigo]

I don't follow the logic of putting these files in the USB drive. If you put your wallet on the USB and then move the USB back and forth between your two devices, including the one which has internet access, then you have completely negated the whole point of an airgapped setup.

For transferring transactions back and forth, the most preferable solution is to use QR codes and a webcam, to eliminate the possibility of accidentally transferring malware or your private keys on the USB drive. You can buy a Raspberry Pi camera module for $25.

I'm not sure what's the configuration for the maximum size of QR codes in most wallets but I believe if the size of the transaction is too large, it would reach the limit of the maximum size allowable for the QR code after the error correction. Could be a bit difficult to scan for the QR code if the display/camera has a low resolution or if it's too small.

You can probably use a different encoded string within the QR code for a larger size but can be slightly more complicated.

[bob123]

1) Use a reputable-brand USB stick (Sandisk, PNY, Kingston). Put portable electrum, veracrypt, and wallet files on it. Encrypt it with 20+ character password using AES.

2) Use 2 raspberry pi devices. One always offline. One online , but only for crypto transactions.

Is there a reason you are using a dedicated device for broadcasting them?
I mean, it definitely doesn't hurt. But it's not that necessary. You could use your daily online PC for that.

Further, if you have one dedicated offline device.. what is the point of storing the wallet files encrypted on the USB flash drives?
Why not simply store it on the SD card of the raspberry pi encrypted?

3) Display. Do I need 1 for each device?

Could the online device get malware, transfer it to the display, and then display transfer it to the offline device?

Highly unlikely.
One display should be enough. At least if you aren't edward snowden and are being hunted by 3 letter agencies all around the world.

4) When transferring the transaction file between devices do I need to use an encrypted USB for this?

Not necessarily.
You'll only transfer data which isn't confidential. It might be worth to check the integrity by using signatures or encrypting it, but that's not necessary.

However, using cameras and QR codes to transfer data is a more secure way.

[o_e_l_e_o]

I'm not sure what's the configuration for the maximum size of QR codes in most wallets

If I'm not mistaken, the limit is 3 kB. That's big enough for a consolidation transaction with 20 inputs and one output, and also big enough for a pay-to-many with one input up to about 80 outputs, even when using all legacy addresses. That's more than enough for the vast majority of individuals who aren't running a shop or some other service. And you can always fall back on USB if you need to.

You could also save to clipboard and use a third party program to break that down in to multiple QR codes or even one animated code and reconstruct the transaction from that, but I'd always manually check everything if you do use any other software (in reality, I would manually check everything anyway).

[LoyceV]

I'm not sure what's the configuration for the maximum size of QR codes in most wallets

If I'm not mistaken, the limit is 3 kB.

According to qrencode:

The capacity of QR Code is up to 7000 digits or 4000 characters

However, I can't make one that large. I could copy your post 4 times (2820 characters), so it looks like 3 kB is indeed the maximum:

This works better than I expected!